6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2

Analysis

max time kernel
101s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe
Size

776KB
MD5

729f4cd874c725f186cc1f402f607005
SHA1

566cc04dd55bf273d4dc233abb1923217ba541bd
SHA256

6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2
SHA512

5d8b9274bd9cc6ef097a363bdf43892795c4d909368ca314c30cc62d99b1eacd77caa15ac38df065110174bcd5a936251a23ae53ef4842a12d735e20fbfc9b3d
SSDEEP

12288:+Qnk3GDYKGcblxLWjcdg8ypYixxalgY28MYf7AJa:SAOcZIogMR2lYf7AE

Score

9^/10

aspackv2

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000600000001504d-68.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1376	instsrv.exe
1740	instsrv.exe

Loads dropped DLL 3 IoCs

pid	Process
2004	cmd.exe
2004	cmd.exe
2004	cmd.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EnableRDP.bat	cmd.exe
File created	C:\Windows\SysWOW64\DisableLAN.exe	cmd.exe
File created	C:\Windows\SysWOW64\SRVINSTW.EXE	cmd.exe
File created	C:\Windows\SysWOW64\srvany.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SRVINSTW.EXE	cmd.exe
File opened for modification	C:\Windows\sysWow64\instsrv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\instsrv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\srvany.exe	cmd.exe
File opened for modification	C:\Windows\sysWow64\DisableLAN.exe	cmd.exe
File opened for modification	C:\Windows\sysWow64\SRVINSTW.EXE	cmd.exe
File created	C:\Windows\SysWOW64\EnableRDP.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\TestServices.bat	cmd.exe
File created	C:\Windows\SysWOW64\instsrv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\DisableLAN.exe	cmd.exe
File opened for modification	C:\Windows\sysWow64\srvany.exe	cmd.exe
File created	C:\Windows\SysWOW64\disableLAN.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\disableLAN.bat	cmd.exe
File created	C:\Windows\SysWOW64\TestServices.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
892	schtasks.exe

Runs net.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2004	1572	6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe	27
PID 1572 wrote to memory of 2004	1572	6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe	27
PID 1572 wrote to memory of 2004	1572	6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe	27
PID 1572 wrote to memory of 2004	1572	6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe	27
PID 2004 wrote to memory of 1980	2004	cmd.exe	29
PID 2004 wrote to memory of 1980	2004	cmd.exe	29
PID 2004 wrote to memory of 1980	2004	cmd.exe	29
PID 2004 wrote to memory of 1980	2004	cmd.exe	29
PID 1980 wrote to memory of 2000	1980	net.exe	30
PID 1980 wrote to memory of 2000	1980	net.exe	30
PID 1980 wrote to memory of 2000	1980	net.exe	30
PID 1980 wrote to memory of 2000	1980	net.exe	30
PID 2004 wrote to memory of 1940	2004	cmd.exe	31
PID 2004 wrote to memory of 1940	2004	cmd.exe	31
PID 2004 wrote to memory of 1940	2004	cmd.exe	31
PID 2004 wrote to memory of 1940	2004	cmd.exe	31
PID 1940 wrote to memory of 1932	1940	net.exe	32
PID 1940 wrote to memory of 1932	1940	net.exe	32
PID 1940 wrote to memory of 1932	1940	net.exe	32
PID 1940 wrote to memory of 1932	1940	net.exe	32
PID 2004 wrote to memory of 892	2004	cmd.exe	33
PID 2004 wrote to memory of 892	2004	cmd.exe	33
PID 2004 wrote to memory of 892	2004	cmd.exe	33
PID 2004 wrote to memory of 892	2004	cmd.exe	33
PID 2004 wrote to memory of 1376	2004	cmd.exe	34
PID 2004 wrote to memory of 1376	2004	cmd.exe	34
PID 2004 wrote to memory of 1376	2004	cmd.exe	34
PID 2004 wrote to memory of 1376	2004	cmd.exe	34
PID 2004 wrote to memory of 1740	2004	cmd.exe	35
PID 2004 wrote to memory of 1740	2004	cmd.exe	35
PID 2004 wrote to memory of 1740	2004	cmd.exe	35
PID 2004 wrote to memory of 1740	2004	cmd.exe	35
PID 2004 wrote to memory of 664	2004	cmd.exe	36
PID 2004 wrote to memory of 664	2004	cmd.exe	36
PID 2004 wrote to memory of 664	2004	cmd.exe	36
PID 2004 wrote to memory of 664	2004	cmd.exe	36
PID 2004 wrote to memory of 1144	2004	cmd.exe	37
PID 2004 wrote to memory of 1144	2004	cmd.exe	37
PID 2004 wrote to memory of 1144	2004	cmd.exe	37
PID 2004 wrote to memory of 1144	2004	cmd.exe	37
PID 2004 wrote to memory of 2040	2004	cmd.exe	38
PID 2004 wrote to memory of 2040	2004	cmd.exe	38
PID 2004 wrote to memory of 2040	2004	cmd.exe	38
PID 2004 wrote to memory of 2040	2004	cmd.exe	38
PID 1320 wrote to memory of 1760	1320	taskeng.exe	40
PID 1320 wrote to memory of 1760	1320	taskeng.exe	40
PID 1320 wrote to memory of 1760	1320	taskeng.exe	40
PID 1320 wrote to memory of 1192	1320	taskeng.exe	42
PID 1320 wrote to memory of 1192	1320	taskeng.exe	42
PID 1320 wrote to memory of 1192	1320	taskeng.exe	42

C:\Users\Admin\AppData\Local\Temp\6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe
"C:\Users\Admin\AppData\Local\Temp\6ca5dee4a1189205f8f1882366b7222266cd21622123589e3d41e456199544a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\securityTEST\TestServices.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\net.exe
    net user faymoadmin **61181122@AA /add /passwordchg:no /expires:never
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user faymoadmin **61181122@AA /add /passwordchg:no /expires:never
      4⤵
      PID:2000
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators faymoadmin /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators faymoadmin /add
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "SecurityRule" /tr C:\Windows\system32\DisableLAN.bat
    3⤵
    - Creates scheduled task(s)
    PID:892
- - C:\securityTEST\instsrv.exe
    instsrv.exe TestServices C:\Windows\system32\srvany.exe
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\securityTEST\instsrv.exe
    instsrv.exe TestServices2 C:\Windows\system32\DisableLAN.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aimaService3\Parameters
    3⤵
    PID:664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Transfer\Parameters /v AppDirectory /d "C:\Windows\TestServices" /t reg_sz /f
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Transfer\Parameters /v Application /d "C:\Windows\TestServices\TestServices.bat" /t reg_sz /f
    3⤵
    PID:2040

C:\Windows\system32\taskeng.exe
taskeng.exe {59632A3A-CC90-4013-85CE-E5A053A2FCAD} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\system32\DisableLAN.bat"
  2⤵
  PID:1760
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\system32\DisableLAN.bat"
  2⤵
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DisableLAN.exe

Filesize
89KB

MD5
94ab675c6fb94dd454b4c2df1fea2936

SHA1
b90f6f7bff08610e80e6c53fd021e1104b651d2d

SHA256
33cf46eee318d10c31c3c3b8cbe828e6f44da84c7e48a845513c1bcd6c10bd55

SHA512
74591e53afe20c41fb68344cd97b255a8fe58bcf67fee56d01111fcc6573af26ecfcc6307b42741c8fd80460f7178e408b3b2d9e3ecbc85a8daec143bc23a282

Download Submit
C:\Windows\SysWOW64\srvany.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit
C:\securityTEST\DisableLAN.exe

Filesize
89KB

MD5
94ab675c6fb94dd454b4c2df1fea2936

SHA1
b90f6f7bff08610e80e6c53fd021e1104b651d2d

SHA256
33cf46eee318d10c31c3c3b8cbe828e6f44da84c7e48a845513c1bcd6c10bd55

SHA512
74591e53afe20c41fb68344cd97b255a8fe58bcf67fee56d01111fcc6573af26ecfcc6307b42741c8fd80460f7178e408b3b2d9e3ecbc85a8daec143bc23a282

Download Submit
C:\securityTEST\EnableRDP.bat

Filesize
238B

MD5
6ff341c2565cf455201c9feb87e94943

SHA1
2c304ceeaf4e85a252facdf0acd98964ddaa594a

SHA256
183a8e85c3fd5fcf699e79ccdbdd35e291f40b137a4db2b2286d33d1c5030f9e

SHA512
db021690abda2f4775128bf4485f455c20e8f3c0c1ff25502e30ada8f90afa13f91550ac88850f56e8021cda0d3ea9583de108fe47339ebda4b9bf371b35ed42

Download Submit
C:\securityTEST\SRVINSTW.EXE

Filesize
28KB

MD5
5ba572b7f4f82dafff96ecae0776e5f5

SHA1
8bc08214c9428fd219266e3830251d36dcc9ad2c

SHA256
052a7d324182dea66ae5ac8376ba150d28150283f80a943b13b67a49c8e38731

SHA512
290aa2d1e2b5a1dbf6e2b50a6d871034c45435be3dab02bf53236c2f72eecc33dd120c10590a965edaf7743dd43596f1bf23af1f6947eb096b191f4d7035c1ff

Download Submit
C:\securityTEST\TestServices.bat

Filesize
888B

MD5
2ba39db6ff2ceb46a3edc6b300a8279e

SHA1
2c3584af5e4c236ec108969822e6d34b3e762c17

SHA256
7fa8fee0b4cd7cd66792df6bde2776c2d85f9bf7abd0d6cbf283d99b1152bc42

SHA512
3259ac29467549478f1fc0ffd46055054b952acda6f3fabfd0bf90afb08709a751ed681591ac39f031838c45275b505432fb4cea7d4b44caceb27801ab94cb96

Download Submit
C:\securityTEST\disableLAN.bat

Filesize
1KB

MD5
9bc9ea304ea0ad915fd5b46b0a7200af

SHA1
42b46970b6550f46530690efe95fd9b7fdb6c057

SHA256
7f010c3ed5b31235bb8e706dd7c42547546fad1a4f671fb793df3db7fe0e4744

SHA512
22473e425fc6d266bcb3cdabf2ad36aea8eecb2965d457526f69b16f4ec829d2d603c9a1617a47bb155133f1a551e979054e15c9113593c4c66d7e351072de77

Download Submit
C:\securityTEST\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\securityTEST\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\securityTEST\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\securityTEST\srvany.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit
\securityTEST\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
\securityTEST\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
\securityTEST\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads